ironic

History

Julia Kreger 9603b8612e Fix Cinder Integration fallout from CVE-2023-2088 In the recent change to cinder, to address CVE-2023-2088, cinder changed the policy rules and behavior for unbinding, or "detaching" a volume. This was because of a vulnerability in compute nodes where a volume which was in use by a VM could be detached outside of Nova, and nova wouldn't become aware the volume was detached, and the volume could be accessible to the next VM. This vulnerability doesn't apply to bare metal operations as volumes are attached to whole baremetal nodes with Ironic. We now generate and use a service token when interacting with Cinder which allows cinder to recognize "this request is coming from a fellow OpenStack service", and by-pass checking with Nova if the "instance" is managed by Nova, or Not. This allows the volumes to be attached, and detached as needed as part of the power operation flow and overall set of lifecycle operations. Note: This change is modified from the original upstream chnage becuse that change leverages the ability for a project_id value to no longer be required in the cinder URL for interactions with cinder, which was a requirement removed in Yoga. Additional note: Disables the rescue testing on one of the wallaby branch jobs. Essentially is is a tempest branching, or lack their of issue. Master branch ironic-tempest-plugin has a fix which doesn't exist on tempest 29.0.0. Related-Bug: 2004555 Closes-Bug: 2019892 Change-Id: Ib258bc9650496da989fc93b759b112d279c8b217 (cherry picked from commit `9c0b4c90a1`) (cherry picked from commit `cb38746f71`)	2023-06-01 15:18:45 +00:00
..
ironic-jobs.yaml	Fix Cinder Integration fallout from CVE-2023-2088	2023-06-01 15:18:45 +00:00
project.yaml	CI: Reduce overall test load	2022-10-10 08:32:20 -07:00

Julia Kreger 9603b8612e Fix Cinder Integration fallout from CVE-2023-2088

In the recent change to cinder, to address CVE-2023-2088,
cinder changed the policy rules and behavior for unbinding,
or "detaching" a volume. This was because of a vulnerability
in compute nodes where a volume which was in use by a VM
could be detached outside of Nova, and nova wouldn't become
aware the volume was detached, and the volume could be accessible
to the next VM.

This vulnerability doesn't apply to bare metal operations as
volumes are attached to whole baremetal nodes with Ironic.

We now generate and use a service token when interacting with
Cinder which allows cinder to recognize "this request is
coming from a fellow OpenStack service", and by-pass
checking with Nova if the "instance" is managed by Nova,
or Not. This allows the volumes to be attached, and detached
as needed as part of the power operation flow and overall
set of lifecycle operations.

Note: This change is modified from the original upstream chnage
becuse that change leverages the ability for a project_id value
to no longer be required in the cinder URL for interactions with
cinder, which was a requirement removed in Yoga.

Additional note: Disables the rescue testing on one of the wallaby
branch jobs. Essentially is is a tempest branching, or lack their
of issue. Master branch ironic-tempest-plugin has a fix
which doesn't exist on tempest 29.0.0.

Related-Bug: 2004555
Closes-Bug: 2019892

Change-Id: Ib258bc9650496da989fc93b759b112d279c8b217
(cherry picked from commit 9c0b4c90a1)
(cherry picked from commit cb38746f71)

2023-06-01 15:18:45 +00:00

ironic-jobs.yaml Fix Cinder Integration fallout from CVE-2023-2088 2023-06-01 15:18:45 +00:00

project.yaml CI: Reduce overall test load 2022-10-10 08:32:20 -07:00